A practicing CISO's perspective on managing information security in large enterprises.

Wednesday, February 11, 2009

FTC Investigates the Geeks

Geeks.com (which sounds like a dating site for programmers but is actually an online discounter of computer equipment) got hit by the US Federal Trade Commission last week. (For international readers the FTC is a US government agency primarily concerned with consumer protection).

The complaint and settlement make for a brief and interesting read. The FTC doesn't seem to think much of Geeks.com's security, but takes even less kindly to their apparent misrepresentation of the security measures they do have in place. Note to CISOs - make sure you know what the marketing department is saying about your security to the outside world. And make sure that your security policy actually reflects what's going on in your organization. As any lawyer will tell you, it is better to have no policy in place than a policy you haven't actually implemented.

Getting hit by the FTC is no fun. The settlement will force Geeks.com to subject itself to ongoing audits for many years to come. The overall costs of this action are enormous - hiring outside counsel to deal with the FTC, the bureaucratic overhead of maintaining all the newly required paperwork, and so forth.

I have posted in the past on justifying security spending. A joe-average data breach seems to have lost its shock value and in some instances may even, ironically, provide lesser-known companies with some brand recognition. But FTC actions like the one against Geeks.com carry real costs, imposing huge administrative burdens and damaging the brand, if not in the eyes of consumers then at least in the eyes of investors. (The New York Law Journal has a good overview of the overall costs of an FTC investigation).

Is a post-breach investigation by the FTC something that companies should be worried about? A back-of-the-napkin calculation shows that the answer is probably not. There were hundreds of public data breaches last year, and yet scanning the FTC website for actions in 2008 shows that there were only a few dozen investigations of any kind in any given month, and very few of those were information security related.

It doesn't take a genius to predict that greater regulation is forthcoming as a result of the new administration and the colossal failure of current institutions like the SEC to prevent Madoff-like frauds. This will affect not only financial accounting but also seemingly unrelated areas like information security. Although the current risk of investigation by the FTC is very low, security is about an overall narrative that can be used to address a wide range of upcoming regulations.

One final noteworthy point about the FTC judgment. It specifically lists SQL injection as a form of attack that Geeks.com should have taken measures to prevent. This is part of an ongoing development in requiring companies to take reasonable steps to prevent well-known attacks. PCI references the OWASP Top 10 (albeit an outdated version of it), but there have been few cases I know of in which a specific technical vulnerability is mentioned in an FTC action. I suspect we will be seeing more of this in the future.
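Since the judgment names SQL injection as the well-known attack a company is expected to have prevented, it is worth being concrete about what the "reasonable step" looks like in code. The example below is added here and is not from the FTC filing, from Geeks.com, or from any real shop; it uses a constructed in-memory SQLite product table and a hypothetical product search. The first search builds the query by string concatenation, so whatever the customer types becomes part of the SQL text; the second keeps the SQL fixed and binds the search term as a value. Running both against the same probe string shows the unpublished row leaking from the first and nothing leaking from the second, which is the check a security reviewer would want to see in a code review or a pre-audit assessment.

```python
import sqlite3

# Constructed sample catalogue for this example only (not real data).
# The third row is unpublished and must never be visible to customers.
SAMPLE_PRODUCTS = [
    ("USB hub", 9.99, 1),
    ("SATA cable", 2.49, 1),
    ("Unreleased GPU", 499.00, 0),
]

# Constructed probe string used to test both implementations. It is the
# canonical textbook pattern: it closes the quoted LIKE pattern, ORs in a
# condition that is always true, and comments out the rest of the statement.
CONSTRUCTED_PROBE = "' OR 1=1 --"


def make_db():
    """Create the in-memory catalogue used by the two search functions."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products ("
        "id INTEGER PRIMARY KEY, name TEXT, price REAL, published INTEGER)"
    )
    conn.executemany(
        "INSERT INTO products (name, price, published) VALUES (?, ?, ?)",
        SAMPLE_PRODUCTS,
    )
    conn.commit()
    return conn


def search_vulnerable(conn, term):
    """Product search that splices the customer's input into the SQL text.

    This is the defect the FTC complaint is pointing at: the database
    cannot tell where the query ends and the customer's text begins, so
    the 'published = 1' restriction can be argued away by the input.
    """
    sql = (
        "SELECT name FROM products "
        "WHERE published = 1 AND name LIKE '%" + term + "%'"
    )
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, term):
    """Same search with a fixed SQL string and a bound parameter.

    The driver sends the query shape and the value separately, so the
    customer's text is only ever compared as a LIKE pattern; it can never
    change the WHERE clause. This is the reasonable, well-known measure.
    """
    sql = "SELECT name FROM products WHERE published = 1 AND name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


def unpublished_leaked(names):
    """Review check: did any unpublished product reach the caller?"""
    unpublished = {n for n, _price, pub in SAMPLE_PRODUCTS if pub == 0}
    return any(n in unpublished for n in names)


if __name__ == "__main__":
    conn = make_db()
    for label, fn in (("concatenated", search_vulnerable),
                      ("parameterized", search_parameterized)):
        ordinary = fn(conn, "USB")
        probed = fn(conn, CONSTRUCTED_PROBE)
        print(f"{label:14s} normal search -> {ordinary}")
        print(f"{label:14s} probe search  -> {probed} "
              f"(unpublished leaked: {unpublished_leaked(probed)})")
```

Both functions return the same result for an ordinary search term, which is why this class of defect survives functional testing; only the probe string separates them. The same split applies regardless of database or language: an ORM or prepared statement that keeps query text and values apart is the control an auditor will look for, and a grep for SQL assembled with `+` or string formatting is a cheap first pass when checking that the policy you wrote is the policy you actually run.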